Zoekveld

Protecting Drupal's fleshy underbelly with .htaccess

In this article, I’m going to show you a few methods to separate your public site from the vulnerable parts of your administration area. What you need is an effective way to keep your site locked and secure, and protected from attacks, while still leaving your site editable for trusted users.

Methods for securing the admin section of your site

One of the things that is often overlooked when setting up and securing a Drupal site is the administrative sections. Sure, Drupal protects these paths with access controls but you can do a lot more to protect your site, especially if your site doesn’t require public login.

If the public has no business accessing /user, they shouldn’t be able to. This path is an attack vector for denial of service (DDoS), brute force password guessing, and it drastically increases attack surface of the site.

Public/administrative separation has the additional benefit of protecting against some types of XSS and CSRF.

A typical server setup for Drupal might look something like this.

This diagram shows how public traffic and your administrators/content editors access the site from the same paths and web servers. For example, your public site is http://www.example.com and your administrators/content editors login to site via http://www.example.com/user

Don’t get me wrong, this is a tried and true method and serves the majority of the use cases out there. But we can do better. Your content administrators/content editors don’t need to be logging into the public site.

This diagram shows the administration edit server locked behind a secure DMZ firewall. I like this setup since now you have separated your public side and your administrative side. But how do you go about it?

Set up rewrite rules for .htaccess

On your public web servers run an .htaccess rule similar to the rule below. (If you are using Drupal 6, you should drop the dash.) There are a couple of caveats to be aware of, so you may need to tweak the rule to remove cron.php or xmlrpc.php.

Plain text

Filtered HTML

Use [acphone_sales], [acphone_sales_text], [acphone_support],
[acphone_international], [acphone_devcloud], [acphone_extra1] and
[acphone_extra2] as placeholders for Acquia phone numbers. Add class
"acquia-phones-link" to wrapper element to make number a link.

To post pieces of code, surround them with <code>...</code> tags. For PHP code, you can use <?php ... ?>, which will also colour it based on syntax.